Privacy Policy

Last updated: March 2026

The legally binding version of this Privacy Policy is the German version. Translations into other languages are provided as a courtesy only and are not legally binding.

1. Data Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

Capwork e.U.

Owner: Nikolas Kain

Am Europlatz 2, 1120 Wien

Email: office@capwork.io

2. Roles and Responsibilities under GDPR

The Capwork platform operates as a B2B service. Depending on the context, different parties assume different data protection roles under the GDPR:

  • Data Subject (Betroffene Person): The end customer or individual whose personal data is processed (e.g., a person booking an appointment or sending an inquiry).
  • Data Controller (Verantwortlicher): The registered business (your B2B customer) that uses the Capwork platform. The controller determines the purposes and means of data processing and is responsible for GDPR compliance toward their end customers.
  • Data Processor (Auftragsverarbeiter): Capwork e.U. operates the Capwork platform as a data processor on behalf of the registered business, processing personal data solely according to the controller’s instructions and the data processing agreement.

Capwork e.U. is the data controller only for data processed for its own purposes (e.g., platform account management, billing, platform security). For all end-customer data entered by registered businesses (e.g., booking details, customer communications, uploaded documents), the registered business is the data controller and Capwork e.U. acts exclusively as data processor pursuant to Art. 28 GDPR.

3. Types of Personal Data Collected

We collect and process the following categories of personal data:

  • Account data: email address, password (hashed), company name, location
  • Contact data: name, phone number, email address (when booking appointments)
  • Payment data: cardholder name, last four digits of card number (for identity verification only)
  • Usage data: booking history, calendar interactions, module configurations, log data
  • Technical data: IP address, browser type, device information, access timestamps
  • End-customer data: any personal data that registered businesses enter into the platform on behalf of their customers (e.g., booking details, contact information, order data, communications)

4. Legal Bases for Processing

We process personal data on the following legal bases under Art. 6 GDPR:

  • Art. 6(1)(a) GDPR — Consent: Where you have given explicit consent for specific processing activities.
  • Art. 6(1)(b) GDPR — Contract: Processing necessary for the performance of our service agreement with you.
  • Art. 6(1)(c) GDPR — Legal obligation: Processing required to comply with Austrian tax and commercial law retention requirements.
  • Art. 6(1)(f) GDPR — Legitimate interests: Processing for fraud prevention, platform security, and service improvement, where our interests are not overridden by your rights.

For end-customer data processed on behalf of registered businesses, the legal basis is determined by the respective business (data controller) and documented in their own privacy policy.

5. Purposes of Processing

Your personal data is processed for the following purposes:

  • Providing and operating the Capwork platform and its modules (appointments, orders, team management, fleet, inventory, finances)
  • User account creation, authentication, and access management
  • Processing bookings, orders, and customer communications on behalf of registered businesses
  • AI-powered features: company data generation, business insights, document scanning, and feedback analysis
  • Fraud prevention, identity verification, and platform security

6. Data Processing Agreement (AVV)

Since Capwork e.U. acts as a data processor (Auftragsverarbeiter) for registered businesses, a Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) pursuant to Art. 28 GDPR is concluded with every registered business during the onboarding process.

The AVV governs:

  • The subject matter, duration, nature, and purpose of the data processing
  • The types of personal data processed and the categories of data subjects
  • The obligations and rights of the controller (registered business)
  • Technical and Organizational Measures (TOMs) to ensure data security (see Section 12)
  • The use and authorization of sub-processors (see Section 8)
  • Obligations regarding data deletion or return upon termination of the contract

The registered business (data controller) may request a copy of the AVV at any time by contacting office@capwork.io.

7. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes described above or as required by law. Austrian commercial and tax law (BAO, UGB) may require retention of certain data for up to 7 years.

Upon account termination, your personal data will be deleted within 30 days, except where longer retention is required by law. End-customer data processed on behalf of registered businesses will be deleted or returned in accordance with the AVV.

8. Recipients and Sub-Processors

Your data may be shared with the following categories of recipients, who act as sub-processors (Unterauftragsverarbeiter) under Art. 28 GDPR:

  • Google Cloud Platform (Firebase, Firestore, Cloud Functions) — infrastructure and data storage (EU region: europe-west1)
  • Google Vertex AI (Gemini) — AI-powered features such as company data generation, insights, document scanning, and invoice processing (sub-processor)
  • Twilio — SMS and WhatsApp notification delivery (sub-processor)

All sub-processors are listed in the AVV and are bound by data processing agreements pursuant to Art. 28 GDPR. The registered business (data controller) is informed of any changes to sub-processors and has the right to object. We do not sell your personal data to third parties.

9. International Data Transfers

Some of our sub-processors operate servers outside the European Economic Area (EEA). Where data is transferred to third countries (e.g., the United States), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and adequacy decisions by the European Commission.

Google LLC and Twilio Inc. participate in the EU-U.S. Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission. Transfer mechanisms are documented in the AVV.

10. Cookies and Local Storage

The Capwork platform uses only strictly necessary cookies for authentication and locale preferences. No tracking, analytics, or advertising cookies are used.

You can manage cookie settings in your browser. Disabling essential cookies may affect platform functionality.

11. Use of Artificial Intelligence

The Capwork platform uses AI services (Google Gemini via Vertex AI) for features including automated company data generation, business insights reports, vehicle document scanning, invoice processing, and feedback analysis. Google Vertex AI acts as a sub-processor under the terms of the AVV.

Data sent to AI services is processed exclusively under Google Cloud’s Enterprise data processing terms (zero data retention). Personal data submitted to AI services is not used to train, improve, or develop AI models. This is contractually guaranteed through Google Cloud’s data processing addendum.

All AI-generated content is clearly labeled in the user interface in compliance with the EU AI Act (Art. 50). No automated decisions with legal or similarly significant effects are made without human oversight.

You may request human review of any AI-generated decision that significantly affects you by contacting us at office@capwork.io.

12. Technical and Organizational Measures (TOMs)

Capwork e.U. implements appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. These measures include:

  • Encryption of data at rest and in transit (TLS 1.2+, AES-256)
  • Access controls and role-based authorization (RBAC) with Firebase Authentication
  • Infrastructure hosted on Google Cloud Platform within the EU (europe-west1 region)
  • Regular security assessments, input validation (Zod schemas), and rate limiting
  • Logging and audit trails for data access and modifications
  • Prompt injection prevention and AI safety measures for all AI-processed data

A detailed description of TOMs is annexed to the Data Processing Agreement (AVV) and is available upon request.

13. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request information about what personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing be restricted under certain conditions.
  • Right to data portability (Art. 20 GDPR): You may request your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests at any time.

To exercise your rights, contact us at office@capwork.io. We will respond within one month as required by Art. 12 GDPR. End customers of registered businesses should first contact the respective business (data controller) to exercise their rights.

14. Supervisory Authority

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien

www.dsb.gv.at

15. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in our data processing practices or legal requirements. Material changes will be communicated to registered users via email. The current version is always available on this page.

16. Contact

Capwork e.U.

Owner: Nikolas Kain

Am Europlatz 2, 1120 Wien

Email: office@capwork.io